The Council recently conducted its most successful Request for Comment (RFC) ever - on the initial draft of Payment Card Industry Data Security Standard (PCI DSS) v4.0. To say the participation and contributions were surprising is an understatement. Our stakeholders stepped forward with more responses than we have ever seen before. We are well underway in our review of these comments, but it is a large effort. Global Participating Organizations (POs) and Assessors produced over 3,200 comments – more feedback than any prior PCI SSC RFC on any subject or standard. Almost 40% of the PO feedback was from merchants.
During the coming months, the PCI Security Standards Council will continue reviewing comments from the RFC. We have a lot of work ahead of us before PCI DSS v4.0 is finalized, and we want to let stakeholders know that the final version of PCI DSS v4.0 won’t be published until 2021 and won’t be required for 2 years after the publication date. We strongly urge all entities to wait until the final version of PCI DSS v4.0 is released before trying to implement any new or updated requirements. Please remember that the PCI DSS v4.0 RFC materials were draft only, and that the final version of the standard will be different from the RFC versions.
Industry participation and collaboration help the Council effectively evolve security standards and validation, secure emerging payment channels, increase standards alignment and consistency, and ensure the standard continues to meet the security needs of the payments industry. Per our published RFC process, PCI SSC reviews and considers every piece of feedback. We are currently refining the draft of PCI DSS v4.0 in preparation for another RFC, currently scheduled for later in 2020. We will prepare an RFC Feedback Summary for RFC participants showing how the feedback was addressed. The feedback summary document will be provided to RFC participants via the PCI Portal when the next PCI DSS RFC takes place.
Stay tuned for further communications from us about the feedback received and the next steps for PCI DSS v4.0. More information about our upcoming RFCs and our RFC process can be found on our Request for Comments page.
On behalf of the entire PCI Council team, thank you to all Participating Organizations and Assessors that are contributing to the evolution of PCI DSS v4.0.
Not a Participating Organization (PO) but want to participate in PCI SSC RFCs? Learn about membership benefits and register to become a PO here.